One of my first assignments at Anchore was to join the team that builds Platform One for the Air Force. The Defense Department’s (DoD) Platform One is “a collection of software-integrated tools, services and standards that enable partners and programs to develop, deploy and operate applications in a secure, flexible and interoperable fashion.” At the core of the project, there’s a need for a software development pipeline with DoD security and compliance baked into software delivery. This work is mission-critical because it sets the standard for software security across all agencies. Even when goals vary, security reigns supreme.
The process of creating Platform One resulted in valuable takeaways and operational best practices that any organization can use for modern transformation, including three I’d like to share here:
1. If speed is the goal, don’t leave security until the end
Platform One demonstrated the power of “shifting left” for mission-critical software development.
Shifting left is a methodology that moves more security testing activities earlier in the software build cycle. Previously, security happened at the end of the process – outside of the development loop. Since testing often uncovers issues that need to be fixed – causing delayed releases – development and security work against each other. By shifting left, feedback loops shorten, and collaboration increases as development and security work hand in hand. That’s a win-win in my book.
Plus, shifting left is a genuinely transformative technique. Applied correctly, it can lead to massive productivity gains, creating higher quality and more secure products. Simultaneously, it speeds up release cycles, innovating and responding faster in response to market demand. Equally important is that shifting left can lead to a more satisfied workforce, with developer, security and operational teams collaborating without compromising the workflow.
Shifting left also solves a major problem for agencies that are under a time crunch. When development moves slowly, security teams often rush to validate software – not ideal. Additionally, once a program has exhausted its budget in the development phase, it is faced with obtaining a DoD Authority to Operate (ATO), a process that can take up to nine months. Technology that was leading-edge quickly becomes out of date, opening the organization to vulnerabilities.
Software designed and consumed by the DoD – and really any government organization – needs to be developed at a higher velocity, with greater efficiency and a focus on security in order to maintain dominance in the current cybersecurity landscape. Shifting left makes that possible.
2. Automation is a force multiplier
Automation is a friend to developers and security teams. New tools already proven on Platform One can automate security checks and packages for vulnerabilities and security issues before they enter the production environment. Security check automation is key since finding vulnerabilities and security issues as soon as they are built reduces remediation time.
Since the inception of Platform One, we’ve seen many other container-scanning solutions come out of the commercial sector. These tools allow teams to scan images for vulnerabilities against policy and compliance standards before sending them to automated testing. The security team may have requirements or implement standards that block containers in specific packages, ports or user permissions. Or the organization may have a mandated level of compliance, such as Defense Information Systems Agency (DISA) or National Institute of Standards and Technology (NIST) compliance. All can be automatically enforced. The tools can even generate reports that allow developers to pinpoint and resolve issues early.
Automation is therefore a force multiplier. It frees up team resources and personnel while helping control costs and increase velocity.
3. It’s OK to be a control freak
Kubernetes. Container hardening. DevSecOps. The landscape – and the language – at many agencies is changing.
Even though security is essential for all enterprises, the stakes are higher for the DoD, making it an excellent test case. We took additional steps to meet the highest and most rigorous security standards, from detecting insider threats to doing in-depth inspections into an SBOM. The program successfully outlined a path that maintains control over the entire development pipeline, allowing the Air Force – and now others – to utilize cutting-edge container technologies while keeping top brass comfortable with the process – and the results.
There are many more technical lessons to be learned from Platform One, but for organizations adopting new technologies and new mindsets, the program demonstrates how to do transformation at scale within a large enterprise.
Interested in becoming a Featured Contributor? Email topics you’re interested in covering for GovLoop to [email protected] And to read more from our summer/fall 2021 Cohort, here is a full list of every Featured Contributor during this cohort and a link to their stories.
Hayden Smith is a senior engineer with Anchore, a software container security company. Currently, Smith leads developer projects across the Defense Department (DoD) and numerous federal agencies to help government organizations adopt DevSecOps best practices. His work includes building and automating Platform One, a collection of hardened and approved containers for use across agencies.
Smith’s dedication to advancing safe cloud-native development practices has been able to guide, empower, equip and accelerate DoD programs through their DevSecOps journeys. Prior to joining Anchore, Smith was a DevOps and infosecurity technologist with Booz Allen Hamilton, where he worked extensively on FedRAMP compliance. You can connect with Anchore on Twitter and LinkedIn.